bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Antoine Riard

Posted on: November 2, 2023 04:46 UTC

The email is a response to feedback received regarding the full disclosure of security vulnerabilities in lightning implementations.

The author acknowledges that there could have been better explanation or presentation of the replacement cycling issue in the initial disclosure post. They explain that as a security researcher, there is a dilemma between providing detailed information to educate the public and potentially exposing the vulnerabilities to malicious actors.

The author mentions that at the time of the full disclosure, some lightning implementations were still adding mitigations to their codebase, and the corresponding release was only tagged recently. They believe that when doing a full disclosure, it is wise to be conservative in the flow of information disclosed to avoid worsening the severity and practicality of exploitation.

There is a specific security risk mentioned that affects Bitcoin second-layers, particularly triggering panic among lightning node operators. This risk involves manually force-closing channels and congesting network mempools, which opens the door to opportunistic "flood & loot" exploitation. The author explains that this risk has been known by lightning experts for years and provides technical details on how it can be exploited.

The author addresses the announcement of stepping down from lightning development, clarifying that it was intentional to highlight the poor state of lightning security. They express concern about the replacement cycling issue, stating that it is more concerning than other major security risks known so far in the lightning ecosystem. They mention various security risks in lightning, such as pinnings, channel jamming, time dilation, dust HTLC exposure, fee or liquidity griefing, and denial-of-service attacks.

The author suggests that lightning security issues are better solved at the base-layer and that expert time is needed to make lightning more robust in the long term. They express their intention to no longer stay accountable for coordinating security issues in the lightning ecosystem due to the complexity of solving replacement cycling issues and the lack of standardized mechanisms.

The author emphasizes the need to assess the severity of vulnerabilities in order to provide adequate technical treatments. They mention the lack of discussion on the issue of "package malleability" and its impact on lightning nodes. They explain how replacement cycling attacks can break dynamic fee-bumping of pre-signed lightning states, putting forwarding nodes and other lightning nodes at risk.

The author concludes by stating that running software is an individual or business decision, but if someone is servicing customers or users, they should be mindful of the safety of their funds. They express enthusiasm about the bitcoin technical community discussing these issues and commit to answering public mails on the subject in the coming weeks and months. They also mention their plans for a real-world demonstration of a replacement cycling attack but indicate that it won't happen until at least the second semester of 2024.